Hacktivists are reportedly taking credit for a data breach impacting Bank of America - an incident the hackers claim allowed them to access employee and executive data stored through a third party. In a March 5 response to BankInfoSecurity, Bank of America reportedly confirmed a third-party compromise is to blame for the data leak.

According to Steve Gibbs, assistant vice president of Compliance Resources, third-party vendors are playing an increasingly important role in the financial services industry as financial institutions strive to become more competitive and expand member services. While the goal of outsourcing is generally creating value for members and improving the financial position of the credit union, it can also create a significant risk for those who fail to perform proper due diligence when selecting and managing vendor relationships.

When using third-party vendors, Gibbs says the following are critical considerations:

Planning

When a third-party vendor is reviewed, management should understand and document its expectations for the potential relationship. The criticality of the relationship is another factor that may affect the decision on whether to retain a particular company. Ultimately, there should be competent staff to deal with the vendor; the cost-benefit relationship should be advantageous for all parties; insurance should be in place to mitigate any liability; and the impact on members should be positive. As with any relationship, planning an acceptable way to exit may prove beneficial at some future time.

Risk Assessment

Risk assessment is tied in to many sectors of operations, and due diligence is no different. Every risk factor should be analyzed and methods of mitigation outlined. Recognizing risk early is the best way to manage it.

Financial Projections

A third-party vendor’s effect on the bottom line is a crucial decision factor. Forecasting potential financial outcomes, taking into account return on investment, expected revenues, and costs (direct and indirect), provides a financial “road map” of potential financial problems or issues that might arise. Additionally, the decision to engage a third party should be evaluated in the context of the credit union’s strategic plan and overall asset/liability management framework. Reasonableness, past performance, business plan objectives and risk profile are among the items to be taken into account.

According to Gibbs, basic due diligence should include (at the very least):